How to detect a system date roll back?

Posted 2019-05-29 07:47

Question:

How could you detect when the user has rolled back the system date? The usage situation is to prevent circumventing licensing, and the program will need to detect a rollback that happened when it was not running.

Answer 1:

Well, you can use an embedded database in your program with an encrypted system date that gets inserted in every once in a while. If you see that a "newer" date is before some previous date, you can see that somebody changed the system date. It's just an idea.



Answer 2:

There isn't going to be a software solution to this that cannot be circumvented somehow.

Assuming you are giving out demo software with a short free period, you can record the install datetime in an encrypted log as @Darioo has suggested. The location of the log file should be somewhere that isn't removed by the uninstaller - but the log should be unobtrusive and small.

If the encrypted log is deleted, the license can auto-expire. If the date is earlier (when the log is decrypted and read) then the license can auto-expire. You may want to consider the edge case of daylight-savings mode - the clock may go back in the autumn/fall by an hour.

If the application is reinstalled, it keeps the old encrypted log where it is and uses that so the same license period continues uninterrupted.

If the encrypted log is deleted, and the software is re-installed then it will have no way to tell the difference between the first install and a re-install so they will circumvent it. However, this will be beyond most users, particularly if the encrypted log is well hidden. For example, you could hide it as an Alternate Data Stream.

Note: I'll leave my other post unless it gets voted down - in which case I'll remove it as it doesn't seem to be so helpful.
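
The stored-timestamp check from Answers 1 and 2, as an added example (not code from the answers above). It swaps encryption for an HMAC, which is what detects edits, and compares UTC epoch seconds so a daylight-saving change never looks like a rollback; the key, file path, tolerance and function names are assumptions.

```python
import hashlib
import hmac
import json
import time

# Assumption: a key shipped inside the application. The HMAC makes edits
# evident; it does not stop someone who extracts the key from forging a file.
KEY = b"constructed-demo-key"
TOLERANCE = 2 * 3600  # backward drift (seconds) accepted as a clock correction

def _mac(payload):
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()

def _write(path, state):
    payload = json.dumps(state, sort_keys=True)
    with open(path, "w") as f:
        json.dump({"payload": payload, "mac": _mac(payload)}, f)

def first_install(path, now, trial_days=30):
    _write(path, {"installed": now, "last_seen": now, "trial": trial_days * 86400})

def check_license(path, now=None):
    """Return 'ok', 'expired', 'missing', 'tampered' or 'rollback'."""
    now = time.time() if now is None else now  # UTC epoch seconds: no DST jumps
    try:
        with open(path) as f:
            record = json.load(f)
        payload, mac = record["payload"], record["mac"]
        valid = hmac.compare_digest(_mac(payload).encode(), mac.encode())
    except FileNotFoundError:
        return "missing"    # caller decides: first run, or expire as Answer 2 suggests
    except (ValueError, KeyError, TypeError, AttributeError):
        return "tampered"
    if not valid:
        return "tampered"
    state = json.loads(payload)
    if now < state["last_seen"] - TOLERANCE:
        return "rollback"   # clock is behind the stored high-water mark
    state["last_seen"] = max(state["last_seen"], now)
    _write(path, state)     # advance the mark on every accepted check
    if state["last_seen"] - state["installed"] > state["trial"]:
        return "expired"
    return "ok"
```

Because expiry is measured from the stored high-water mark rather than the current clock, a rollback that stays inside the tolerance window does not buy back trial time.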



Answer 3:

Another idea is to also add some NTP connectivity to get the current date from the Internet.



Answer 4:

I think I prefer @darioo's suggestion of having an encrypted log. Just thought I would add that changes to the System Time are written to the Windows Security Log with EventID 4616. Here's the message:

The system time was changed.

Subject:    
    Security ID:             TheComputer\Me     
    Account Name:            Me     
    Account Domain:          TheComputer    
    Logon ID:                0x283df

Process Information:    
    Process ID:              0x12b8     
    Name:                    C:\Windows\System32\dllhost.exe

Previous Time:               2010-11-15T09:10:32.000000000Z
New Time:                    2010-11-15T09:10:32.000000000Z

This event is generated when the system time is changed. It is normal for the Windows 
Time Service, which runs with System privilege, to change the system time on a regular 
basis. Other system time changes may be indicative of attempts to tamper with the 
computer.

Of course, the audit log can be cleared out with appropriate permissions. So it could be circumvented. Also, I'm using Windows 7 - it's also on Windows Server 2008 and there is an equivalent on Windows Server 2003 (http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4616).

The advantage of this approach is that you can tell when the time was changed - what it was previously and what it was changed to. So you can detect a negligible change of an hour or so compared to a change of a year.